zitadel/.github/workflows/container.yml

name: Container

on:
  workflow_call:
    inputs:
      build_image_name:
        required: true
        type: string
    outputs:
      build_image:
        value: '${{ inputs.build_image_name }}:${{ github.sha }}'

permissions:
  packages: write

env:
  default_labels: |
    org.opencontainers.image.documentation=https://zitadel.com/docs
    org.opencontainers.image.vendor=CAOS AG

jobs:
  build:
    name: zitadel
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64,arm64]
    steps:
      - 
        uses: actions/checkout@v4
      -
        name: Scratch meta
        id: scratch-meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ inputs.build_image_name }}
          labels: ${{ env.default_labels}}
          tags: |
            type=sha,prefix=,suffix=,format=long
      -
        name: Debug meta
        id: debug-meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ inputs.build_image_name }}
          labels: ${{ env.default_labels}}
          tags: |
            type=sha,prefix=,suffix=-debug,format=long
      - 
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - 
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - 
        uses: actions/download-artifact@v5
        with:
          path: .artifacts
          name: zitadel-linux-${{ matrix.arch }}
      -
        name: Unpack executable
        run: |
          tar -xvf .artifacts/zitadel-linux-${{ matrix.arch }}.tar.gz
          mv zitadel-linux-${{ matrix.arch }}/zitadel ./zitadel
      - 
        name: Debug
        id: build-debug
        uses: docker/build-push-action@v6
        timeout-minutes: 3
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: build/zitadel/Dockerfile
          target: artifact
          platforms: linux/${{ matrix.arch }}
          push: true
          labels: ${{ steps.debug-meta.outputs.labels }}
          outputs: type=image,name=${{ inputs.build_image_name }},push-by-digest=true,name-canonical=true,push=true
      - 
        name: Scratch
        id: build-scratch
        uses: docker/build-push-action@v6
        timeout-minutes: 3
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: build/zitadel/Dockerfile
          target: final
          platforms: linux/${{ matrix.arch }}
          push: true
          labels: ${{ steps.scratch-meta.outputs.labels }}
          outputs: type=image,name=${{ inputs.build_image_name }},push-by-digest=true,name-canonical=true,push=true
      -
        name: Export debug digest
        run: |
          mkdir -p /tmp/digests/debug
          digest="${{ steps.build-debug.outputs.digest }}"
          touch "/tmp/digests/debug/${digest#sha256:}"
      -
        name: Export scratch digest
        run: |
          mkdir -p /tmp/digests/scratch
          digest="${{ steps.build-scratch.outputs.digest }}"
          touch "/tmp/digests/scratch/${digest#sha256:}"
      -
        name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ matrix.arch }}
          path: /tmp/digests
          if-no-files-found: error
          retention-days: 1
  
  merge:
    runs-on: ubuntu-latest
    needs:
      - build
    strategy:
      fail-fast: false
      matrix:
        image: [scratch, debug]
        include:
          - image: scratch
            suffix: ''
          - image: debug
            suffix: '-debug'
    steps:
      -
        name: Download digests
        uses: actions/download-artifact@v5
        with:
          pattern: digests-*
          path: /tmp/digests
          merge-multiple: true
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Docker meta
        id: build-meta
        uses: docker/metadata-action@v5
        with:
          images: '${{ inputs.build_image_name }}'
          tags: |
            type=sha,prefix=,suffix=${{ matrix.suffix }},format=long
      -
        name: Create build manifest list and push
        working-directory: /tmp/digests/${{ matrix.image }}
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< '${{ steps.build-meta.outputs.json }}') \
            $(printf '${{ inputs.build_image_name }}@sha256:%s ' *)
      -
        name: Inspect build image
        run: |
          docker buildx imagetools inspect ${{ inputs.build_image_name }}:${{ github.sha }}${{ matrix.suffix }}